We found hacked .htaccess files in the root of every site on our shared host!

Some of our domains started coming up as Infected in Google's search results. So we started looking on the server and found that most of the domains on our BlueHost account had a new .htaccess file. Even domains that had not had one at all before had a new one.

Upon inspection we discovered that each of these new .htaccess files had new rules that invoked a 301 redirect to another infected server when a user came to our sites from a search engine, or if there was an error on the page (404, 500, etc.) the user would also be redirected.

One of the telltale signs that these lines in the .htaccess files were malicious was that they were heavily indented. You might not even see anything when you open the file unless you have line-wrap on or have it open on a high resolution screen in a wide window. You can see in the screenshot above how the code starts far to the right of the screen and wraps many times.

We manually removed the infected lines of code and replaced missing lines in each of these files. Believing that we had fixed it we decided to take a closer look later to figure out how the hack was planted.
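The indicators described above (directives pushed far to the right, redirects conditioned on a search-engine referrer, and error pages pointed at another server) can be checked across every site on an account at once. This is an added example, not code from the original post or from the plugin mentioned in the comments; the indent threshold, the patterns, the function names and the sample file are assumptions, and hits are heuristic and need manual review.

```python
import re
from pathlib import Path

# Assumption: legitimate directives are rarely indented this far; tune as needed.
INDENT_THRESHOLD = 40

# Heuristic patterns for the behaviours the post describes.
CHECKS = {
    "search-referer-condition": re.compile(
        r"^RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo)", re.I),
    "redirect-to-absolute-url": re.compile(
        r"^RewriteRule\s+\S+\s+https?://", re.I),
    "errordocument-to-absolute-url": re.compile(
        r"^ErrorDocument\s+\d{3}\s+https?://", re.I),
}

def scan_htaccess(text):
    """Return (line_number, reason) pairs, in file order, for suspicious lines."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.expandtabs(8)
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        if len(line) - len(line.lstrip()) >= INDENT_THRESHOLD:
            findings.append((number, "deep-indent"))
        for reason, pattern in CHECKS.items():
            if pattern.search(body):
                findings.append((number, reason))
    return findings

def scan_tree(root):
    """Scan every .htaccess under root; return {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob(".htaccess"):
        found = scan_htaccess(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample: stock WordPress lines followed by far-indented injected ones.
PAD = " " * 200
SAMPLE = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    + PAD + "RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\..*$ [NC]\n"
    + PAD + "RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=301,L]\n"
    + PAD + "ErrorDocument 404 http://redirect.example.invalid/\n"
)

if __name__ == "__main__":
    for number, reason in scan_htaccess(SAMPLE):
        print(f"line {number}: {reason}")
```

Calling `scan_tree()` on the account's home directory covers domains that never had an `.htaccess` before, since any file it finds there is new.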


2 Comments on "We found hacked .htaccess files in the root of every site on our shared host!"

  • On September 12, 2012 at 4:17 am, Lbsadmin said:

    The same thing has just happened to my bluehost account…
    Did you find out where it was originally planted or how?

    • On September 12, 2012 at 5:36 am, Anti-Malware Admin said:

      The hacks on my server were being planted using an old version of timthumb.php (sometimes also named timthumb.php) that came with some themes on various sites. My Anti-Malware Plugin will patch any old versions it finds. You just need to make sure you scan and fix every site on your account.

